CN113206838B - Data encryption and decryption method and system for Web system - Google Patents

Publication number: CN113206838B (application CN202110394186.3A; earlier publication CN113206838A)
Authority: CN (China)
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Original language: Chinese (zh)
Inventors: 龙毅宏, 刘泉
Assignee (original and current): Wuhan University of Technology WUT

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

Abstract

A data encryption and decryption method and system for a Web system. A Web filter intercepts a data submission HTTP request sent by a client, queries the data encryption and decryption configuration information, determines which of the submitted data must be encrypted, and calls the cryptographic component to encrypt that data, forming a new data submission HTTP request. The Web filter intercepts a data query HTTP request sent by a client, queries the configuration information, determines which of the query data must be encrypted, and calls the cryptographic component to encrypt that data, forming a new data query HTTP request. The Web filter intercepts the HTTP response returned by the Web system, queries the configuration information, determines which data in the response must be decrypted, and calls the cryptographic component to decrypt it. Searchable data is first word-segmented, and the data blocks produced by segmentation are then encrypted individually.

Description

Data encryption and decryption method and system for Web system
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a data encryption and decryption method and system for a Web system.
Background
For network application systems data security is very important, and the most effective technical means of securing the data an application stores (for example, data in a database) is to encrypt the stored data and to decrypt it when it is needed.
Although data encryption is the most effective technical means of protecting data, the following problems arise in practice. First, a great many systems are already deployed, and adding encryption and decryption to a deployed system means modifying code and redeploying, which is troublesome or even infeasible for many system operators. Second, cryptography is a specialised field; most developers are unfamiliar with it and few are proficient, which makes adding encryption and decryption to a system harder still. Third, the code that reads and writes data (for example, Web pages) is usually extensive, so encryption and decryption code ends up scattered across different parts of the program and different pages of the system, which makes that code harder to maintain. Fourth, separate encryption and decryption code is written for each system and cannot be reused, which wastes effort. Fifth, encrypting data can destroy its searchability. Sixth, encryption and decryption generally slow down storing and retrieving data.
Disclosure of Invention
The invention aims to provide a solution to the problem of applying data encryption technology in a Web system, where a Web system is a system that provides a predetermined application or service function through Web technology.
To that end, the technical scheme of the invention comprises a data encryption and decryption method for a Web system and a corresponding system.
The data encryption and decryption method for a Web system is as follows.
A Web filter intercepts a data submission HTTP request sent by a client (such as a browser), queries the data encryption and decryption configuration information, determines which of the submitted data must be encrypted (for example, which fields of FORM data and which objects of JSON data), calls the cryptographic component to encrypt that data (several different items may need encryption, such as different FORM fields or different JSON objects), forms a new data submission HTTP request from the result, and passes the new request on to the subsequent processing logic (processing components), for example to be saved to a database;
the Web filter intercepts a data query (search) HTTP request sent by a client, queries the configuration information, determines which of the query data must be encrypted (that is, whether the query concerns encrypted data), calls the cryptographic component to encrypt that query data (again, several different items may be involved, such as different FORM fields or different JSON objects), forms a new data query HTTP request, and passes it on to the subsequent processing logic (processing component), for example to query or search data stored in a database;
the Web filter intercepts the HTTP response returned by the Web system, queries the configuration information, determines which data in the response must be decrypted (that is, which data in the response is encrypted), calls the cryptographic component to decrypt that data (several different items may be involved, such as different FORM fields or different JSON objects), forms a new HTTP response, and returns it;
the Web filter is a component located in the HTTP request and response path inside the Web server (of the Web system) that encrypts and decrypts data; it may, for example, be built on the filter mechanism of the Web server or of the Web runtime environment;
the cryptographic component is a software component, or a combination of software and hardware, that provides data encryption and decryption;
the data encryption and decryption configuration information holds the information needed for the encryption and decryption processing.
In the method above, the Web filter determines by querying the configuration information (for example, by the HTTP request URLs and the request data fields recorded in it): which HTTP requests contain data to be encrypted and which data in them; which data query HTTP requests need encryption and which of their query data (that is, which query requests and which query data concern queries over encrypted data); and which HTTP requests have responses containing encrypted data to be decrypted and which data in those responses (that is, which HTTP responses need decryption and which data in them is ciphertext).
For data to be encrypted in a data submission or data query HTTP request, the Web filter further determines from the configuration information whether that data is searchable (that is, whether the encrypted data will be queried or searched; the query data for encrypted searchable data is itself searchable and receives the same word segmentation and encryption). If it is not searchable, the Web filter calls the cryptographic component to encrypt it as a whole. If it is searchable, the Web filter calls the word segmentation component to segment it, calls the cryptographic component to encrypt each resulting data component (data block) separately, and then concatenates the encrypted data blocks to form the final encrypted data;
word segmentation means dividing data representing a sentence into several data components (data blocks) according to predetermined (language) rules, each block having a maximum length limit (a block may be shorter than the maximum but not longer); the word segmentation component is the component that performs this segmentation.
The cryptographic algorithm, encryption mode and key used for searchable data need not be the same as those used for non-searchable data to be encrypted in a data submission or data query HTTP request.
For searchable data to be encrypted in a data submission or data query HTTP request, the Web filter counts how often each distinct data block produced by word segmentation occurs, caches the plaintext and corresponding ciphertext (the data before and after encryption) of those distinct blocks, and uses the cache to encrypt blocks quickly (the plaintext is replaced directly by the cached ciphertext without calling the cryptographic component);
when the number of cached data blocks exceeds a preset threshold (how the threshold is set is an implementation matter outside the invention), the Web filter removes the cache entries of the least frequently occurring blocks (the removed entries include the plaintext and ciphertext of the block and its frequency statistics);
the occurrence frequency of a data block is the number of times it occurs within a specified time period;
the low-frequency blocks are those that rank last by occurrence frequency (how many of them are cleared is an implementation matter outside the invention).
The configuration information also holds word segmentation keywords (key words). When segmenting searchable data, the word segmentation component separates any keyword appearing in the data into a data block of its own (keywords are only one of the techniques used in segmentation, not the whole of it; segmentation is mainly based on language rules). The keywords are divided into keywords to be encrypted and keywords not to be encrypted: the Web filter encrypts keywords of the first kind that are separated from searchable data, and leaves keywords of the second kind in the clear (correspondingly, it does not need to decrypt such keywords when they appear in encrypted searchable data). For non-encrypted keywords the Web filter keeps no plaintext/ciphertext cache entries (this is obvious, since no encryption or decryption takes place).
The Web filter also counts how often each search keyword occurs in the searchable data to be encrypted in data query HTTP requests; a search keyword that occurs frequently and is not yet among the word segmentation keywords is added to them as a keyword to be encrypted;
the occurrence frequency of a search keyword is the number of times it occurs within a prescribed time period;
a frequently occurring search keyword is one whose occurrence frequency exceeds a predetermined threshold (the value of the threshold is an implementation matter outside the invention).
For encrypted data to be decrypted in an HTTP response, the Web filter further determines from the configuration information whether the data is searchable. If not, it calls the cryptographic component to decrypt the non-searchable data as a whole; if so, it calls the cryptographic component to decrypt each encrypted (word-segmented) data block of the searchable data separately and then concatenates the decrypted blocks to form the final plaintext.
For searchable data to be decrypted in an HTTP response, the Web filter counts how often each distinct encrypted data block (block to be decrypted) occurs in responses, caches the ciphertext and corresponding plaintext of those distinct blocks, and uses the cache to decrypt blocks quickly (the ciphertext is replaced directly by the cached plaintext without calling the cryptographic component);
when the number of cached encrypted blocks exceeds a predetermined threshold (how the threshold is set is an implementation matter outside the invention), the Web filter removes the cache entries of the least frequently occurring encrypted blocks (the removed entries include the ciphertext and plaintext of the block and its frequency statistics);
the occurrence frequency of an encrypted data block is the number of times it occurs within a prescribed time period;
the low-frequency encrypted blocks are those that rank last by occurrence frequency (how many of them are cleared is an implementation matter outside the invention).
If the page returned in an HTTP response offers a data query (search) function, and from a data query HTTP request submitted through the original page the Web filter cannot tell which query data (for example, search keywords) need no encryption (queries over unencrypted data), which need encryption (queries over encrypted data), and which of those are searchable (queries over encrypted searchable data), the Web filter inserts code (HTML code or a script program) into the returned page, modifying it so that the filter can make this distinction from the query data of data query HTTP requests submitted through the modified page.
A data encryption and decryption system for a Web system can be built on the method above. It comprises a Web filter, a cryptographic component, a word segmentation component and an encryption configuration manager. The encryption configuration manager manages the data encryption and decryption configuration information, including generating, modifying and storing it; the configuration information is stored as a file or as database records and is loaded into the Web system (into memory) by the Web filter;
when a client submits, queries or retrieves data through HTTP requests, the system encrypts the data that needs encryption in the HTTP requests and decrypts the data that needs decryption in the HTTP responses, following the method above.
From the description above it can be seen that the invention achieves the following. The Web filter adds automatic data encryption and decryption to a Web system without modifying its program code. The encryption and decryption can be implemented by specialists, while ordinary programmers concentrate on business logic without having to deal with it. The encryption and decryption code is concentrated in the Web filter, which makes it easier to maintain. Through the configuration information, one set of code serves different systems. Segmenting data before encrypting it preserves its searchability (encryption of course still has some adverse effect on search capability). Caching common plaintext/ciphertext pairs speeds up encryption and decryption.
Drawings
FIG. 1 is a schematic diagram of the system of the present invention.
Detailed Description
Embodiments of the invention are described further below.
The data encryption and decryption process implemented according to the invention is as follows.
A Web filter intercepts a data submission HTTP request sent by a client (such as a browser), queries the data encryption and decryption configuration information, determines which of the submitted data must be encrypted (for example, which fields of FORM data and which objects of JSON data), calls the cryptographic component to encrypt that data (several different items may need encryption, such as different FORM fields or different JSON objects), forms a new data submission HTTP request from the result, and passes the new request on to the subsequent processing logic (processing components), for example to be saved to a database;
the Web filter intercepts a data query (search) HTTP request sent by a client, queries the configuration information, determines which of the query data must be encrypted (that is, whether the query concerns encrypted data), calls the cryptographic component to encrypt that query data (again, several different items may be involved, such as different FORM fields or different JSON objects), forms a new data query HTTP request, and passes it on to the subsequent processing logic (processing component), for example to query or search data stored in a database;
the Web filter intercepts the HTTP response returned by the Web system, queries the configuration information, determines which data in the response must be decrypted (that is, which data in the response is encrypted), calls the cryptographic component to decrypt that data (several different items may be involved, such as different FORM fields or different JSON objects), forms a new HTTP response, and returns it;
the Web filter is a component located in the HTTP request and response path inside the Web server (of the Web system) that encrypts and decrypts data; it may, for example, be built on the filter mechanism of the Web server or of the Web runtime environment;
the cryptographic component is a software component, or a combination of software and hardware, that provides data encryption and decryption;
the data encryption and decryption configuration information holds the information needed for the encryption and decryption processing.
In the process above, the Web filter determines by querying the configuration information (for example, by the HTTP request URLs and the request data fields recorded in it): which HTTP requests contain data to be encrypted and which data in them; which data query HTTP requests need encryption and which of their query data (that is, which query requests and which query data concern queries over encrypted data); and which HTTP requests have responses containing encrypted data to be decrypted and which data in those responses (that is, which HTTP responses need decryption and which data in them is ciphertext).
For data to be encrypted in a data submission or data query HTTP request, the Web filter further determines from the configuration information whether that data is searchable (that is, whether the encrypted data will be queried or searched; the query data for encrypted searchable data is itself searchable and receives the same word segmentation and encryption). If it is not searchable, the Web filter calls the cryptographic component to encrypt it as a whole. If it is searchable, the Web filter calls the word segmentation component to segment it, calls the cryptographic component to encrypt each resulting data component (data block) separately, and then concatenates the encrypted data blocks to form the final encrypted data;
word segmentation means dividing data representing a sentence into several data components (data blocks) according to predetermined (language) rules, each block having a maximum length limit (a block may be shorter than the maximum but not longer); the word segmentation component is the component that performs this segmentation.
The cryptographic algorithm, encryption mode and key used for searchable data need not be the same as those used for non-searchable data to be encrypted in a data submission or data query HTTP request.
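The request and response handling described in the Disclosure and restated above, as an added example in Python that is not the patent's own code: a configuration-driven filter core that encrypts non-searchable fields whole, word-segments searchable fields and encrypts each block deterministically, and reverses both on the response side. The cipher (an HMAC-SHA256 SIV-style construction), the configuration values and the URL and field names are assumptions made for the demonstration.

```python
"""Config-driven core of the Web filter (added example, not the patent's code):
non-searchable fields are encrypted whole; searchable fields are word-segmented
(keywords split out, blocks capped at max_block_len) and each block is encrypted
deterministically so an encrypted query token still matches stored ciphertext.
StandInCipher is an HMAC-SHA256 SIV-style construction assumed here in place of
the patent's cryptographic component."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Set


class StandInCipher:
    """Deterministic keyed encryption: tag = HMAC(mk, pt)[:16],
    ct = tag || (pt XOR keystream(ek, tag)); equal plaintexts give equal ciphertexts."""

    def __init__(self, key: bytes):
        self.mk = hashlib.sha256(b"mac|" + key).digest()  # MAC subkey
        self.ek = hashlib.sha256(b"enc|" + key).digest()  # keystream subkey

    def _keystream(self, tag: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.ek, tag + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, pt: bytes) -> bytes:
        tag = hmac.new(self.mk, pt, hashlib.sha256).digest()[:16]
        return tag + bytes(a ^ b for a, b in zip(pt, self._keystream(tag, len(pt))))

    def decrypt(self, ct: bytes) -> bytes:
        tag, body = ct[:16], ct[16:]
        pt = bytes(a ^ b for a, b in zip(body, self._keystream(tag, len(body))))
        if not hmac.compare_digest(hmac.new(self.mk, pt, hashlib.sha256).digest()[:16], tag):
            raise ValueError("ciphertext tag mismatch")  # tampered, or wrong key
        return pt


@dataclass
class FieldRule:
    searchable: bool  # True: segment first, then encrypt block by block


@dataclass
class Config:
    """Constructed configuration information: request URL -> {field -> rule},
    plus the word-segmentation keywords (encrypted kind and cleartext kind)."""
    rules: Dict[str, Dict[str, FieldRule]]
    encrypt_keywords: Set[str]
    plain_keywords: Set[str]
    max_block_len: int = 8


def segment(text: str, cfg: Config) -> List[List[str]]:
    """Word segmentation: whitespace tokens; inside a token a known keyword
    becomes its own block and the rest is chopped to max_block_len.
    One block list per token is returned so the layout can be rebuilt."""
    kws = sorted(cfg.encrypt_keywords | cfg.plain_keywords, key=len, reverse=True)
    splitter = re.compile("(" + "|".join(map(re.escape, kws)) + ")") if kws else None
    tokens = []
    for tok in text.split():
        blocks = []
        for part in (splitter.split(tok) if splitter else [tok]):
            if part in kws:
                blocks.append(part)
            elif part:
                blocks += [part[i:i + cfg.max_block_len] for i in range(0, len(part), cfg.max_block_len)]
        tokens.append(blocks)
    return tokens


def encrypt_value(value: str, rule: FieldRule, cfg: Config, cipher: StandInCipher) -> str:
    if not rule.searchable:
        return cipher.encrypt(value.encode()).hex()
    # Blocks of one token are joined with '.', tokens with ' ' (hex digits and
    # \w+ keywords contain neither), so the response side can rebuild the text.
    return " ".join(".".join(b if b in cfg.plain_keywords else cipher.encrypt(b.encode()).hex()
                             for b in blocks) for blocks in segment(value, cfg))


def decrypt_value(value: str, rule: FieldRule, cfg: Config, cipher: StandInCipher) -> str:
    if not rule.searchable:
        return cipher.decrypt(bytes.fromhex(value)).decode()
    return " ".join("".join(b if b in cfg.plain_keywords else cipher.decrypt(bytes.fromhex(b)).decode()
                            for b in tok.split(".")) for tok in value.split())


def filter_request(url: str, form: Dict[str, str], cfg: Config, cipher: StandInCipher) -> Dict[str, str]:
    """Submission and query requests alike: encrypt only the fields configured for this URL."""
    rules = cfg.rules.get(url, {})
    return {k: encrypt_value(v, rules[k], cfg, cipher) if k in rules else v for k, v in form.items()}


def filter_response(url: str, data: Dict[str, str], cfg: Config, cipher: StandInCipher) -> Dict[str, str]:
    """Decrypt the configured fields of the response belonging to request URL `url`."""
    rules = cfg.rules.get(url, {})
    return {k: decrypt_value(v, rules[k], cfg, cipher) if k in rules else v for k, v in data.items()}


# Constructed demo configuration and key (placeholders, not real secrets).
CFG = Config(rules={"/order/save": {"card": FieldRule(False), "notes": FieldRule(True)},
                    "/order/search": {"q": FieldRule(True)}},
             encrypt_keywords={"shipped"}, plain_keywords={"status"}, max_block_len=8)
CIPHER = StandInCipher(b"constructed-demo-key")
```

Because a searchable block must encrypt deterministically for an encrypted query token to match the stored ciphertext, equal blocks always yield equal ciphertext; that is what makes the patent's plaintext/ciphertext cache possible, and it also means the frequency of blocks in stored data is visible to anyone who can read the ciphertext.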
For searchable data to be encrypted in a data submission or data query HTTP request, the Web filter counts how often each distinct data block produced by word segmentation occurs, caches the plaintext and corresponding ciphertext (the data before and after encryption) of those distinct blocks, and uses the cache to encrypt blocks quickly (the plaintext is replaced directly by the cached ciphertext without calling the cryptographic component);
when the number of cached data blocks exceeds a preset threshold (how the threshold is set is an implementation matter outside the invention), the Web filter removes the cache entries of the least frequently occurring blocks (the removed entries include the plaintext and ciphertext of the block and its frequency statistics);
the occurrence frequency of a data block is the number of times it occurs within a specified time period;
the low-frequency blocks are those that rank last by occurrence frequency (how many of them are cleared is an implementation matter outside the invention).
The configuration information also holds word segmentation keywords (key words). When segmenting searchable data, the word segmentation component separates any keyword appearing in the data into a data block of its own (keywords are only one of the techniques used in segmentation, not the whole of it; segmentation is mainly based on language rules). The keywords are divided into keywords to be encrypted and keywords not to be encrypted: the Web filter encrypts keywords of the first kind that are separated from searchable data, and leaves keywords of the second kind in the clear (correspondingly, it does not need to decrypt such keywords when they appear in encrypted searchable data). For non-encrypted keywords the Web filter keeps no plaintext/ciphertext cache entries (this is obvious, since no encryption or decryption takes place).
The Web filter also counts how often each search keyword occurs in the searchable data to be encrypted in data query HTTP requests; a search keyword that occurs frequently and is not yet among the word segmentation keywords is added to them as a keyword to be encrypted;
the occurrence frequency of a search keyword is the number of times it occurs within a prescribed time period;
a frequently occurring search keyword is one whose occurrence frequency exceeds a predetermined threshold (the value of the threshold is an implementation matter outside the invention).
For encrypted data to be decrypted in an HTTP response, the Web filter further determines from the configuration information whether the data is searchable. If not, it calls the cryptographic component to decrypt the non-searchable data as a whole; if so, it calls the cryptographic component to decrypt each encrypted (word-segmented) data block of the searchable data separately and then concatenates the decrypted blocks to form the final plaintext.
For the data encryption and decryption for the Web system described above, for searchable data needing decryption in the HTTP response, the Web filter counts the occurrence frequency of the different encrypted data blocks (i.e. the data blocks needing decryption) in the response, caches the ciphertext and corresponding plaintext of these different encrypted data blocks (produced by word segmentation), and uses the cached ciphertext and plaintext to perform rapid decryption processing on the encrypted data blocks (the cached plaintext directly replaces the ciphertext, without calling the password component to decrypt);
when the number of cached encrypted data blocks exceeds a predetermined threshold (how the threshold is set depends on the requirements of the specific implementation and is outside the scope of the present invention), the Web filter removes the cached data of the encrypted data blocks with low occurrence frequency (the removed cached data includes the ciphertext and corresponding plaintext of the encrypted data block and the corresponding frequency statistics);
the occurrence frequency of an encrypted data block is the number of times the encrypted data block occurs within a prescribed time period;
the encrypted data blocks with low occurrence frequency are the encrypted data blocks ranked lowest by occurrence frequency (how many of the lowest-ranked encrypted data blocks are cleared depends on the requirements of the specific implementation and is outside the scope of the present invention).
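The frequency-counted block cache with low-frequency eviction, the block-by-block encryption and decryption of searchable data, and the promotion of frequent search keywords into the word segmentation keywords, as an added Python model that is not the patent's own code. The password component (a keyed HMAC tag with a reverse table, deterministic so that equal blocks give equal ciphertext), the segmentation rule (whitespace split with a maximum block length), the key, the thresholds and all sample strings are stand-ins constructed for this example, since the patent fixes none of them.

```python
import hashlib
import hmac
from collections import Counter

class PasswordComponent:
    """Stand-in for the patent's password component (no cipher is fixed there).
    Segmented data stays searchable only if equal blocks give equal ciphertext,
    so this toy returns a keyed HMAC tag and keeps a reverse table to decrypt.
    Placeholder only; deterministic per-block encryption reveals repeats."""
    KEY = b"constructed-demo-key"
    def __init__(self):
        self.calls, self._reverse = 0, {}  # calls: real invocations by the filter
    def encrypt(self, block):
        self.calls += 1
        tag = hmac.new(self.KEY, block.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = block
        return tag
    def decrypt(self, tag):
        self.calls += 1
        return self._reverse[tag]

class FreqCache:
    """Block cache with occurrence counts. Above `limit` entries, the `evict`
    least frequent ones (oldest first on ties) go, statistics included."""
    def __init__(self, limit, evict):
        self.limit, self.evict = limit, max(1, evict)
        self.entries, self.hits = {}, Counter()
    def get(self, key, compute):
        self.hits[key] += 1
        value = self.entries.get(key)
        if value is None:                        # miss: call the component once
            value = self.entries[key] = compute(key)
            if len(self.entries) > self.limit:
                for k, _ in sorted(self.hits.items(), key=lambda kv: kv[1])[:self.evict]:
                    del self.entries[k], self.hits[k]
        return value

def segment(text, keywords=(), max_len=6):
    """Segmentation stand-in: whitespace split; keywords stay whole, the rest is chopped."""
    blocks = []
    for tok in text.split():
        blocks.extend([tok] if tok in keywords else
                      [tok[i:i + max_len] for i in range(0, len(tok), max_len)])
    return blocks

class WebFilter:
    def __init__(self, plain_keywords=(), cache_limit=4, evict=2, promote_at=3):
        self.component = PasswordComponent()
        self.plain_keywords = set(plain_keywords)  # isolated, never encrypted or cached
        self.enc_keywords = set()                   # frequent search keywords, promoted
        self.enc_cache = FreqCache(cache_limit, evict)
        self.dec_cache = FreqCache(cache_limit, evict)
        self.search_hits, self.promote_at = Counter(), promote_at
    def _apply(self, blocks, cache, fn):
        return " ".join(b if b in self.plain_keywords else cache.get(b, fn) for b in blocks)
    def encrypt_searchable(self, text):
        blocks = segment(text, self.plain_keywords | self.enc_keywords)
        return self._apply(blocks, self.enc_cache, self.component.encrypt)
    def decrypt_searchable(self, ciphertext):
        return self._apply(ciphertext.split(), self.dec_cache, self.component.decrypt)
    def encrypt_query(self, keyword):
        """Query path: count the keyword; above the threshold it joins the encrypted keywords."""
        self.search_hits[keyword] += 1
        if self.search_hits[keyword] > self.promote_at and keyword not in self.plain_keywords:
            self.enc_keywords.add(keyword)
        return self.encrypt_searchable(keyword)
```

`component.calls` makes the cache's effect visible: repeated blocks are served from the cache without touching the component, and a keyword queried more than `promote_at` times stops being chopped into several blocks.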
For the data encryption and decryption for the Web system described above, if the page returned by the HTTP response relates to data query searching (i.e. provides a data query search function), and the Web filter cannot distinguish, from the data query HTTP request submitted by the user through the original response page, which query data (e.g. search keywords) in the query request does not need to be encrypted (i.e. is query data for non-encrypted data), which query data needs to be encrypted (i.e. is query data for encrypted data), and which query data is searchable (i.e. is query data for encrypted searchable data), the Web filter inserts code (HTML code, script programs) into the page returned by the HTTP response and modifies the returned page, so that the Web filter can make the above distinction among the query data in the data query HTTP request subsequently submitted by the user through the returned page.
The specific implementation of the data encryption and decryption process for the Web system described above involves the implementation of a Web filter, a password component, a word segmentation component and an encryption configuration manager. The implementation of the Web filter depends on the Web server (such as Apache HTTP Server or IIS) and the Web operating environment (such as a JSP/Servlet Web container or the ASP.NET runtime) adopted by the Web system, and can use either the filter mechanism provided by the Web server or the one provided by the Web operating environment. The encryption configuration manager is responsible for managing the data encryption and decryption configuration information, including generating, modifying and storing it; the manager can be an independent system or a component of the Web application system, and the configuration information is stored as a file or as database data and is loaded by the Web filter into the Web system (memory). The password component and the word segmentation component can be dynamically loaded system components or independently running systems. Implementing the Web filter, the password component, the word segmentation component and the encryption configuration manager yields a data encryption and decryption system for the Web system.
Other specific technical implementations not described here are well known to, and will be apparent to, those skilled in the relevant art.

Claims (11)

1. A data encryption and decryption method for a Web system is characterized by comprising the following steps:
the Web filter intercepts a data submission HTTP request submitted by a client, queries data encryption and decryption configuration information, determines which data in the submitted data need to be encrypted, then calls a password component to encrypt the data needing to be encrypted, then forms a new data submission HTTP request, and transmits the new data submission HTTP request to subsequent processing logic for processing;
the Web filter intercepts a data query HTTP request submitted by a client, queries data encryption and decryption configuration information, determines which data in query data in the data query HTTP request need to be encrypted, then calls a password component to encrypt the data needing to be encrypted, then forms a new data query HTTP request, and transmits the new data query HTTP request to subsequent processing logic for processing;
the Web filter intercepts HTTP response returned by the Web system, inquires data encryption and decryption configuration information, determines which data in the HTTP response need to be decrypted, then calls a password component to decrypt the data needing to be decrypted, then forms a new HTTP response, and returns the new HTTP response;
the Web filter is a component located in the HTTP request and response transmission channel of the Web server and used for encrypting and decrypting data;
the password component is a component for providing data encryption and decryption functions;
the data encryption and decryption configuration information is provided with information related to data encryption and decryption processing;
and the password component and the data encryption and decryption configuration information are located on the Web server side where the Web filter is located.
2. The data encryption and decryption method for the Web system according to claim 1, wherein:
the Web filter determines, by querying the data encryption and decryption configuration information, whether a data submission HTTP request contains data that needs to be encrypted and which data in the request it is, whether a data query HTTP request contains query data that needs to be encrypted and which query data it is, and whether the HTTP response corresponding to an HTTP request contains encrypted data that needs to be decrypted and which data in the response it is.
3. The data encryption and decryption method for the Web system according to claim 1, wherein:
for data needing to be encrypted in a data submission HTTP request or a data query HTTP request, the Web filter further determines, through the data encryption and decryption configuration information, whether the data needing to be encrypted is searchable; if not, the Web filter calls the password component to encrypt the non-searchable data needing to be encrypted; if so, the Web filter calls the word segmentation component to perform word segmentation on the searchable data needing to be encrypted, then calls the password component to encrypt each data component, i.e. each data block, obtained by the word segmentation respectively, and then combines the respectively encrypted data blocks to form the final encrypted data;
the word segmentation processing means that data representing a sentence is divided according to a preset rule into a plurality of data components, i.e. data blocks, each of which has a maximum length limit; the word segmentation component is a component that performs word segmentation processing on data.
4. The data encryption and decryption method for the Web system according to claim 3, wherein:
the cryptographic algorithm, encryption method and key used to encrypt the searchable data and those used to encrypt the non-searchable data needing to be encrypted in a data submission HTTP request or a data query HTTP request need not be the same.
5. The data encryption and decryption method for the Web system according to claim 3, wherein:
for searchable data needing to be encrypted in a data submission HTTP request or a data query HTTP request, the Web filter counts the occurrence frequency of the different data blocks obtained after word segmentation, caches the plaintext and corresponding ciphertext of these different data blocks, and uses the cached plaintext and ciphertext to perform rapid encryption processing on the data blocks;
when the number of cached data blocks exceeds a preset threshold, the Web filter clears the cached data of the data blocks with low occurrence frequency;
the occurrence frequency of a data block is the number of times the data block occurs within a specified time period;
the data blocks with low occurrence frequency are the data blocks ranked lowest by occurrence frequency.
6. The data encryption and decryption method for the Web system according to claim 5, wherein:
the data encryption and decryption configuration information is provided with word segmentation keywords, and when performing word segmentation on searchable data the word segmentation component separates out the word segmentation keywords appearing in the data as independent data components, i.e. data blocks, for processing; the word segmentation keywords are divided into keywords needing encryption and non-encrypted keywords: the Web filter encrypts the keywords needing encryption separated from the searchable data to be encrypted and does not encrypt the non-encrypted keywords separated from it; and for the non-encrypted keywords, the Web filter does not cache plaintext and corresponding ciphertext.
7. The data encryption and decryption method for the Web system according to claim 6, wherein:
the Web filter counts the frequency of occurrence of search keywords appearing in searchable data needing to be encrypted in a data query HTTP request, and for the search keywords which have high frequency of occurrence and do not appear in the word segmentation keywords, the Web filter adds the search keywords into the word segmentation keywords as the keywords needing to be encrypted;
the frequency of occurrence of a search keyword refers to the number of times the search keyword occurs within a prescribed time period;
the search keyword having a high frequency of occurrence is a search keyword having a frequency of occurrence higher than a predetermined threshold value.
8. The data encryption and decryption method for the Web system according to claim 6, wherein:
for encrypted data needing to be decrypted in the HTTP response, the Web filter further determines through the data encryption and decryption configuration information whether the encrypted data is searchable; if not, the Web filter calls the password component to decrypt the encrypted non-searchable data; if so, the Web filter calls the password component to decrypt each encrypted data block in the encrypted searchable data respectively, and then combines the decrypted data blocks to form the final decrypted data.
9. The data encryption and decryption method for the Web system as claimed in claim 8, wherein:
for searchable data needing to be decrypted in the HTTP response, the Web filter counts the occurrence frequency of the different encrypted data blocks in the response, caches the ciphertext and corresponding plaintext of these different encrypted data blocks, and uses the cached ciphertext and plaintext to rapidly decrypt the encrypted data blocks;
when the number of cached encrypted data blocks exceeds a preset threshold, the Web filter clears the cached data of the encrypted data blocks with low occurrence frequency;
the occurrence frequency of an encrypted data block is the number of times the encrypted data block occurs within a prescribed time period;
the encrypted data blocks with low occurrence frequency are the encrypted data blocks ranked lowest by occurrence frequency.
10. The data encryption and decryption method for the Web system according to claim 3, wherein:
if the page returned by the HTTP response relates to data query searching, and the Web filter cannot distinguish, from the data query HTTP request submitted by the user through the original response page, which query data in the query request does not need to be encrypted, which query data needs to be encrypted, and which of the query data needing encryption is searchable, the Web filter inserts code into the page returned by the HTTP response and modifies the returned page, so that the Web filter can make this distinction among the query data in the data query HTTP request subsequently submitted by the user through the returned page.
11. A data encryption and decryption system for a Web system based on the data encryption and decryption method for a Web system according to any one of claims 1 to 10, characterized in that:
the data encryption and decryption system comprises a Web filter, a password component, a word segmentation component and an encryption configuration manager; the encryption configuration manager manages the data encryption and decryption configuration information, including generating, modifying and storing it; the data encryption and decryption configuration information is stored as a file or as database data and is loaded into the Web system by the Web filter;
when a client submits data, queries data or obtains data through an HTTP request, the data encryption and decryption system encrypts the data needing encryption in the HTTP request and decrypts the data needing decryption in the HTTP response according to the data encryption and decryption method for the Web system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110394186.3A CN113206838B (en) 2021-04-13 2021-04-13 Data encryption and decryption method and system for Web system


Publications (2)

Publication Number Publication Date
CN113206838A CN113206838A (en) 2021-08-03
CN113206838B true CN113206838B (en) 2022-07-05




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant